Needham–Schroeder protocol

Template:Short description

The Needham–Schroeder protocol is one of the two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder.^[1] These are:

• The Needham–Schroeder Symmetric Key Protocol, based on a symmetric encryption algorithm. It forms the basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.
• The Needham–Schroeder Public-Key Protocol, based on public-key cryptography. This protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form is insecure.

Here, Alice ${\displaystyle (A)}$ initiates the communication to Bob Template:Tmath. ${\displaystyle S}$ is a server trusted by both parties. In the communication:

• ${\displaystyle A}$ and ${\displaystyle B}$ are identities of Alice and Bob respectively
• ${\displaystyle K_{AS}}$ is a symmetric key known only to ${\displaystyle A}$ and ${\displaystyle S}$
• ${\displaystyle K_{BS}}$ is a symmetric key known only to ${\displaystyle B}$ and ${\displaystyle S}$
• ${\displaystyle N_A}$ and ${\displaystyle N_B}$ are nonces generated by ${\displaystyle A}$ and ${\displaystyle B}$ respectively
• ${\displaystyle K_{AB}}$ is a symmetric, generated key, which will be the session key of the session between ${\displaystyle A}$ and ${\displaystyle B}$

The protocol can be specified as follows in security protocol notation:

${\displaystyle A\to S:A,B,N_A}$

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

${\displaystyle S\to A:\{N_A,K_{AB},B,\{K_{AB},A{\}}_{K_{BS}}{\}}_{K_{AS}}}$

The server generates ${\displaystyle K_{AB}}$ and sends back to Alice a copy encrypted under ${\displaystyle K_{BS}}$ for Alice to forward to Bob and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures Alice that the message is fresh and that the server is replying to that particular message and the inclusion of Bob's name tells Alice who she is to share this key with.

${\displaystyle A\to B:\{K_{AB},A{\}}_{K_{BS}}}$

Alice forwards the key to Bob who can decrypt it with the key he shares with the server, thus authenticating the data.

${\displaystyle B\to A:\{N_B{\}}_{K_{AB}}}$

Bob sends Alice a nonce encrypted under ${\displaystyle K_{AB}}$ to show that he has the key.

${\displaystyle A\to B:\{N_B-1{\}}_{K_{AB}}}$

Alice performs a simple operation on the nonce, re-encrypts it and sends it back verifying that she is still alive and that she holds the key.

The protocol is vulnerable to a replay attack (as identified by Denning and Sacco^[2]). If an attacker uses an older, compromised value for Template:Tmath, he can then replay the message ${\displaystyle \{K_{AB},A{\}}_{K_{BS}}}$ to Bob, who will accept it, being unable to tell that the key is not fresh.

This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below.^[3] At the beginning of the protocol:

${\displaystyle A\to B:A}$

Alice sends to Bob a request.

${\displaystyle B\to A:\{A,{N_B}^{\prime }{\}}_{K_{BS}}}$

Bob responds with a nonce encrypted under his key with the Server.

${\displaystyle A\to S:A,B,N_A,\{A,{N_B}^{\prime }{\}}_{K_{BS}}}$

Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

${\displaystyle S\to A:\{N_A,K_{AB},B,\{K_{AB},A,{N_B}^{\prime }{\}}_{K_{BS}}{\}}_{K_{AS}}}$

Note the inclusion of the nonce.

The protocol then continues as described through the final three steps as described in the original protocol above. Note that ${\displaystyle {N_B}^{\prime }}$ is a different nonce from Template:Tmath. The inclusion of this new nonce prevents the replaying of a compromised version of ${\displaystyle \{K_{AB},A{\}}_{K_{BS}}}$ since such a message would need to be of the form ${\displaystyle \{K_{AB},A,{N_B}^{\prime }{\}}_{K_{BS}}}$ which the attacker can't forge since she does not have Template:Tmath.

This assumes the use of a public-key encryption algorithm.

Here, Alice ${\displaystyle (A)}$ and Bob ${\displaystyle (B)}$ use a trusted server ${\displaystyle (S)}$ to distribute public keys on request. These keys are:

• ${\displaystyle K_{PA}}$ and Template:Tmath, respectively public and private halves of an encryption key-pair belonging to ${\displaystyle A}$ (${\displaystyle S}$ stands for "secret key" here)
• ${\displaystyle K_{PB}}$ and Template:Tmath, similar belonging to ${\displaystyle B}$
• ${\displaystyle K_{PS}}$ and Template:Tmath, similar belonging to Template:Tmath. (Note that this key-pair will be used for digital signatures, i.e., ${\displaystyle K_{SS}}$ used for signing a message and ${\displaystyle K_{PS}}$ used for verification. ${\displaystyle K_{PS}}$ must be known to ${\displaystyle A}$ and ${\displaystyle B}$ before the protocol starts.)

The protocol runs as follows:

${\displaystyle A\to S:A,B}$

${\displaystyle A}$ requests Template:Tmath's public keys from Template:Tmath.

${\displaystyle S\to A:\{K_{PB},B{\}}_{K_{SS}}}$

${\displaystyle S}$ responds with public key ${\displaystyle K_{PB}}$ alongside Template:Tmath's identity, signed by the server for authentication purposes.

${\displaystyle A\to B:\{N_A,A{\}}_{K_{PB}}}$

${\displaystyle A}$ chooses a random ${\displaystyle N_A}$ and sends it to Template:Tmath.

${\displaystyle B\to S:B,A}$

${\displaystyle B}$ now knows A wants to communicate, so ${\displaystyle B}$ requests Template:Tmath's public keys.

${\displaystyle S\to B:\{K_{PA},A{\}}_{K_{SS}}}$

Server responds.

${\displaystyle B\to A:\{N_A,N_B{\}}_{K_{PA}}}$

${\displaystyle B}$ chooses a random Template:Tmath, and sends it to ${\displaystyle A}$ along with ${\displaystyle N_A}$ to prove ability to decrypt with Template:Tmath.

${\displaystyle A\to B:\{N_B{\}}_{K_{PB}}}$

${\displaystyle A}$ confirms ${\displaystyle N_B}$ to Template:Tmath, to prove ability to decrypt with Template:Tmath.

At the end of the protocol, ${\displaystyle A}$ and ${\displaystyle B}$ know each other's identities, and know both ${\displaystyle N_A}$ and Template:Tmath. These nonces are not known to eavesdroppers.

This protocol is vulnerable to a man-in-the-middle attack. If an impostor ${\displaystyle I}$ can persuade ${\displaystyle A}$ to initiate a session with them, they can relay the messages to ${\displaystyle B}$ and convince ${\displaystyle B}$ that he is communicating with Template:Tmath.

Ignoring the traffic to and from ${\displaystyle S}$, which is unchanged, the attack runs as follows:

${\displaystyle A\to I:\{N_A,A{\}}_{K_{PI}}}$

${\displaystyle A}$ sends ${\displaystyle N_A}$ to Template:Tmath, who decrypts the message with Template:Tmath.

${\displaystyle I\to B:\{N_A,A{\}}_{K_{PB}}}$

${\displaystyle I}$ relays the message to Template:Tmath, pretending that ${\displaystyle A}$ is communicating.

${\displaystyle B\to I:\{N_A,N_B{\}}_{K_{PA}}}$

${\displaystyle B}$ sends ${\displaystyle N_B}$.

${\displaystyle I\to A:\{N_A,N_B{\}}_{K_{PA}}}$

${\displaystyle I}$ relays it to Template:Tmath.

${\displaystyle A\to I:\{N_B{\}}_{K_{PI}}}$

${\displaystyle A}$ decrypts ${\displaystyle NB}$ and confirms it to Template:Tmath, who learns it.

${\displaystyle I\to B:\{N_B{\}}_{K_{PB}}}$

${\displaystyle I}$ re-encrypts Template:Tmath, and convinces ${\displaystyle B}$ that she's decrypted it.

At the end of the attack, ${\displaystyle B}$ falsely believes that ${\displaystyle A}$ is communicating with him, and that ${\displaystyle N_A}$ and ${\displaystyle N_B}$ are known only to ${\displaystyle A}$ and Template:Tmath.

The following example illustrates the attack. Alice (Template:Tmath) would like to contact her bank (Template:Tmath). We assume that an impostor (Template:Tmath) successfully convinces ${\displaystyle A}$ that they are the bank. As a consequence, ${\displaystyle A}$ uses the public key of ${\displaystyle I}$ instead of using the public key of ${\displaystyle B}$ to encrypt the messages she intends to send to her bank. Therefore, ${\displaystyle A}$ sends ${\displaystyle I}$ her nonce encrypted with the public key of Template:Tmath. ${\displaystyle I}$ decrypts the message using their private key and contacts ${\displaystyle B}$ sending it the nonce of ${\displaystyle A}$ encrypted with the public key of ${\displaystyle B}$. ${\displaystyle B}$ has no way to know that this message was actually sent by Template:Tmath. ${\displaystyle B}$ responds with their own nonce and encrypts the message with the public key of Template:Tmath. Since ${\displaystyle I}$ is not in possession of the private key of ${\displaystyle A}$ they have to relay the message to ${\displaystyle A}$ without knowing the content. A decrypts the message with her private key and respond with the nonce of ${\displaystyle B}$ encrypted with the public key of Template:Tmath. ${\displaystyle I}$ decrypts the message using their private key and is now in possession of nonce ${\displaystyle A}$ and Template:Tmath. Therefore, they can now impersonate the bank and the client respectively.

The attack was first described in a 1995 paper by Gavin Lowe.^[4] The paper also describes a fixed version of the scheme, referred to as the Needham–Schroeder–Lowe protocol. The fix involves the modification of message six to include the responder's identity, that is we replace:

${\displaystyle B\to A:\{N_A,N_B{\}}_{K_{PA}}}$

with the fixed version:

${\displaystyle B\to A:\{N_A,N_B,B{\}}_{K_{PA}}}$

and the intruder cannot successfully replay the message because A is expecting a message containing the identity of I whereas the message will have identity of Template:Tmath.

• Kerberos
• Otway–Rees protocol
• Yahalom
• Wide Mouth Frog protocol
• Neuman–Stubblebine protocol
• Diffie–Hellman key exchange

Template:Reflist

Template:Commonscat

• Template:Cite web
• Template:Cite web
• Template:Cite web
• Explanation of man-in-the-middle attack by Computerphile.